I just want to make sure I have not overlooked anything in setting up a small wireless network for a business. There are 6 total computers hooked into the network, five of which are connected wirelessly.

I am using WPA2 with a nice long keycode. I change the keycode every 3 to 4 months.

All computers are up to date with patches and AV.

The network is running fine at this point. Is there anything else I need to be doing or add to the network to make it more secure? Should I be using something or looking at logs to make sure no bad guys are on the network? I didn't know if Untangle or OpenDNS would be overkill?

26 Replies

Is there any file sharing? If so you might want to set up a workgroup or simple domain. A domain is a little more work up front but it saves a lot of headaches in the long run. For an operation that small, you can install a server on a cheap PC and host AD and files from there and back it up using Mozy Pro. Nothing fancy.

The only other thing I do on my wireless network with a small number of users is MAC filtering. It's just one more level of security but so far, I've never had my network hacked. I allow the wireless and wired NIC addresses of those computers on my network. I allow the wired so if their wireless ever flakes out, they can still have Internet.

Sorry, I forgot to put in there, I did set up a workgroup for them. I also set up a NAS because they wanted a central place to store their files. I have the primary NAS backing up to another NAS every night.

so WPA2.... hmmm, what type of business? any governing authorities like HIPAA or PCI DSS?? What industry? These are some basic questions to be asked for sure...

If you have compliance things like HIPAA or PCI DSS etc.... then yes there is a lot more that you should do to secure it.....

Keep in mind that WPA2 can be broken, and broken rather quickly nowadays I might add.... (a laptop that has an NVIDIA or ATI high-end video card that supports Stream or CUDA can break WPA2 in short order, 15 minutes - 3 hrs....) and many of today's laptops do have this feature and do support this....

change keys every 5 days, 15 days tops.... keys should be a min. of 27+ characters in length (ours are in the range of 47+) implement RADIUS or some form of 2-factor authentication....

firewall, and AV, as well should all be kept up to date and end users should not be allowed to turn them off....

if you have to comply with HIPAA or PCI DSS or other, I look at Intrusion detection hardware on top of the other stuff.....

is this fanatical? yes. but ask your customers what they would want you to do..... and 99% of them that have any type of data about them on your network..... they will tell you to mitigate the risks..... at all costs.... it's not just your data that you are responsible for, it's also your clients' information as well as your end users'....

ok so it's a sign making business, does the bookkeeper have a share on the NAS??? Account or contract info for customers on the NAS?? where is the payroll kept, on a server or on the NAS, if you back up files to the NAS everything will be there so one stop shopping for the criminal right? encrypt the NAS should be a check box on your to-do list, as well as the 7 workstations.....

The best thing you can do is use a solid protocol like WPA2. Hiding the SSID really isn't secure. Every now and then your network will transmit unencrypted frames in clear text and in there is the SSID. A sniffer can pick this out. Same thing with MAC filtering. You can easily spoof a MAC by sniffing the traffic of a client and pulling out the MAC.

If that is the only security you put in place, I agree. But the combination of MAC address filtering, WPA2, and hiding the SSID should work fairly well.

But according to that article, hiding the SSID makes the whole setup less secure than if you don't do it--including other security measures.

It's like tinting the back windows of your car as an ADDED security measure to obscure the expensive stuff you just placed in there. However, Microsoft did the tint job and etched in silver tint are the words, "Microsoft tint to obscure the cash and expensive jewelry in the back seat".

In my experience, which is fairly limited with wireless, hiding the SSID will cause some devices to show the network as unsecured, as will using the wrong encryption type (AES vs TKIP, etc). With hiding the SSID, the problem with that is if a computer doesn't remember the network for some reason, then the user will have to manually enter the network name and security key each time they connect. I don't have a problem with broadcasting the SSID as there are enough other security features in place that if they get onto the wireless network, they can't really do anything from there. I don't have much of anything shared out that would jeopardize our whole network anyway either.

If my understanding is correct, it may be a good idea to change the SSID occasionally as well -- it was 6 months to a year ago that I was looking into it, but if I remember correctly, WPA and WPA2 use the SSID as well as the encryption key when generating the code.

We have a similar problem here. We're a manufacturing firm, with "Data Collection" points throughout the shop (old P3's running a really simple app with a barcode scanner). Needless to say, they don't need a fast connection, they just need a connection. A few spots are out of reach of the cable runs, so we were using wireless here.

The first setup they had was an unencrypted, hide the SSID, and we're secure bit. Yeah. That was one of the first projects I worked on here -- we now use RADIUS tied in with our Active Directory. If you can manage it, it's sweet -- there are no encryption codes, it just sends your authentication over the network, the AD verifies it, and you are in.

Downside is it's complex. Took a few months to get it up and running as it should be. And, you need an AD and higher-end routers.

But that's my $0.02. As long as you keep the encryption code something non-English, and change it as you have been, you should be in good shape.

WPA and WPA2 should give you no problems in security if you use a good long password and change it once in a while.

We're using WPA with AES and a 63 character ASCII printable key for the password, nothing that a dictionary file will be able to attain. I use www.grc.com/password which generates a unique password for each visitor and you can mash it up yourself afterwards to get more entropy out of it.

For WEP I know it can be cracked within 15 minutes or less but I have not heard something like this for WPA or WPA2 especially unless you are using a dictionary word where brute force will get this eventually. I'd love to know how to break a 63 char key on WPA or WPA2 in a matter of hours; everything I've read and heard about points to years of work on random ones.

SSID hiding I haven't seen much merit in since a serious hacker can find this if he wants to, I've seen this more of a way to keep away leechers that just want to see if you have a password of "Password". MAC address can go the same way, not too hard to find if you want.

Obscurity can help a lot with your SSID especially if there are a lot of other wireless points around from residential or commercial, don't make it stand out.

Best of luck on your project.

BTW, be careful with your NAS (most likely a Linux OS?) if you go the way of AD and NTFS security. We've had problems integrating Linux security permissions with NTFS for a very special case that we use it for.
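
Added example, not part of any post in this thread: two replies above say that WPA/WPA2 uses the SSID together with the key, and that a random 63-character key is out of reach of a dictionary file. The sketch below shows the standard WPA2-Personal derivation (PBKDF2-HMAC-SHA1 with the SSID as salt) and the keyspace arithmetic for passphrase length; the SSIDs `SignShop` and `SignShop-2`, the sample passphrase and the guess rate are constructed assumptions.

```python
import hashlib
import math
import secrets
import string

# Printable ASCII (0x20-0x7E): the 95 characters allowed in a WPA/WPA2 passphrase.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "
PMK_BITS = 256  # the derived key is 256 bits, so strength cannot exceed this

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(c not in PRINTABLE for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def random_passphrase(length: int = 63) -> str:
    """Generate a passphrase locally from the OS CSPRNG."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(PRINTABLE)) -> float:
    """Entropy of a uniformly random string; does not apply to words or patterns."""
    return length * math.log2(alphabet_size)

def effective_bits(length: int, alphabet_size: int = len(PRINTABLE)) -> float:
    """Passphrase entropy capped at the size of the derived key."""
    return min(entropy_bits(length, alphabet_size), PMK_BITS)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a given rate (the rate is an assumption)."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    phrase = "correct horse battery staple"  # constructed sample, not a recommendation
    for ssid in ("SignShop", "SignShop-2"):   # constructed SSIDs
        print(f"{ssid:12s} {derive_pmk(phrase, ssid).hex()}")
    rate = 1e6  # assumed guesses per second, for illustration only
    for n, alphabet in ((8, 26), (27, 95), (63, 95)):
        bits = effective_bits(n, alphabet)
        print(f"{n:2d} chars / {alphabet} symbols: {bits:6.1f} bits, "
              f"{years_to_exhaust(bits, rate):.3g} years to exhaust")
```

The same passphrase yields a different key under each SSID, which is why a unique, non-default SSID matters even though the SSID itself is not secret.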